User identity privacy in authorization certificates

ABSTRACT

The present invention relates to methods, devices, computer program products as well as a signal for providing privacy to a user in relation to data, which data can be a content identifier (cr_id) for identifying content. For that reason a usage right certificate (UR) generated in relation to the data, includes the data (cr_id), concealed user identifying information (for example by using (H(PK//RAN)) and random data (RAN)) enabling the verification of the user identity in the user identifying information. In this way a user is guaranteed privacy in relation to information, such as content he has purchased.

The present invention generally relates to the fields of digital accesscontrol, digital rights management, and similar fields of technology.The invention is more particularly related to providing privacy inrelation to authorization certificates for digital content.

It is known to provide different types of digital authorization andaccess control systems over for instance the Internet where public andsecret keys are used for authorization purposes. Examples of tools thatcan be used in such systems are SPKI (Simple Public Key Infrastructure)and SDSI (Simple Distributed Security Infrastructure).

Within the framework of SPKI it is known to use authorizationcertificates, which associate a public key with an authorization, wherethe authorization can be related to some type of informational content,and where the public key represents some entity such as a user or adevice.

Authorization certificates can be used in a system for giving a useraccess to some content. A first user can then when using these types ofsystems contact a content provider and purchase or access some type ofcontent. In the process of purchasing the first user uses a public andsecret key for identifying himself and the content provider issues anauthorization certificate that states that the first user has certainrights in relation to the content and is used for guaranteeing himaccess to the content. The certificate therefore includes someinformation identifying the first user. The authorization certificate isa public document, which is used by the first user and could be used byother users having a relation to this first user for accessing thecontent. This means that basically any person can find out about whatcontents or other information the first user might be interested in bychecking the user identifying information in the certificate. This is asimple task if the user identifying information is a public key of theabove-mentioned type. There is therefore a need for keeping the identityof a user secret in these types of certificates, while at the same timeallowing the user and any possible related user access to the content ina simple manner.

In “Privacy and Accountability in Certificate Systems”, by T. Aura andC. Ellison, Helsinki University of Technology, Espoo, Finland 2000, ISBN951-22-5000-4, ISSN 0783-5396, anonymity techniques which addressthreats to privacy in the context of SPKI authorization certificates arediscussed. The techniques discussed consist of:

key-oriented access control, that is the idea of using public keysrather than names in the certificates,

certificate reduction, an approach in which in order to prevent thetracking of public keys in certificate chains, intermediate keys in achain of certificates are hidden, and

temporary and task-specific keys, an approach in which the public keysof the users are changed often and new keys are created for new tasks.

The above techniques have limitations, which are discussed below.

Key-oriented access control: the use of a public key offers some degreeof privacy, but this approach is limited in that a public key is aunique identifier of the user and binding a key to its owner may not bea difficult task.

Certificate reduction: this is a good solution for providing privacywith respect to the hierarchical organization of certificate chains, butthere is the limitation that the key at the end of the chain cannot behidden with reduction.

Temporary and task-specific keys: the limitation of this approach is thekey management, i.e. the cost of changing and keeping track of keys,which can be a burden for users and/or certificate issuers.

There is thus a need for a solution to the above-mentioned problem ofproviding privacy to a user in the context of publicly accessibleauthorization certificates, since they associate an identity or a publickey to an authorization, which the user may prefer to keep private.

It is thus an object of the present invention to provide privacy for atleast one user of obtained authorizations that can be used in an accessand authorization system, while at the same time allowing the proper andsecure check of the user's entitlements to said authorization.

According to a first aspect of the present invention, this object isachieved by a method of associating data with users involving:

associations between

-   -   user identifying information and    -   data,

characterized in that

-   -   concealing data is used to conceal a user identity in the user        identifying information, such that it is possible to check for a        given user identity whether the association applies to it.

Data can comprise content reference identifiers, attributes, content,text, etcetera

According to a second aspect of the present invention, this object isalso achieved by a method of giving a user access to information inrelation to an association between a user and data including the stepsof:

receiving from a user a request concerning said data using useridentifying information related to the user,

retrieving the association including user identifying information thathas been concealed using concealing data,

checking the concealed user identifying information in the association,and

providing the user with information related to the data based on acorrespondence between the concealed user identifying information in theassociation and user identifying information at least linked to theuser.

According to a third aspect of the present invention, this object isfurthermore achieved by a device for hiding the identity of a user in anassociation between said user and data arranged to:

conceal user identifying information using concealing data for provisionof the concealed user identifying information in the association.

According to a fourth aspect of the present invention, this object isalso achieved by a device for giving a user access to information inrelation to an association between a user and data arranged to:

receive a request from a user concerning said data including useridentifying information relating to the user,

retrieve an association between the data and a user including useridentifying information, which has been concealed using concealing data,

check the concealed user identifying information in the association, and

provide the user with information related to the data based on acorrespondence between the concealed user identifying information in theassociation and user identifying information at least linked to theuser.

According to a fifth aspect of the present invention, this object isalso achieved by a device for obtaining information in relation to anassociation between a user and said data arranged to:

receive user identifying information related to a user that has beenconcealed using concealing data, and

send a request concerning said data including the concealed useridentifying information,

so that an association between the user and said data comprising theconcealed user identifying information can be received.

According to a sixth aspect of the present invention, this object isalso achieved by a device for providing information in relation to datawhile concealing the identity of at least one user in relation to anassociation between the user and said data arranged to:

receive a request concerning said data including the user identifyinginformation which has been concealed using concealing data, and

provide an association between the user and said data comprising theconcealed user identifying information.

According to a seventh aspect of the present invention, this object isalso achieved by a computer program product for giving a user access toinformation in relation to an association between a user and data, to beused on a computer comprising a computer readable medium having thereon:

computer program code means, to make the computer execute, when saidprogram is loaded in the computer:

upon reception from the user of a request related to said data usinguser identifying information related to the user,

retrieve an association between a user and said data including useridentifying information that has been concealed using concealing data,

check the concealed user identifying information in the association, and

provide the user with information related to the data based on acorrespondence between the concealed user identifying information in theassociation and user identifying information at least linked to theuser.

According to an eighth aspect of the present invention, this object isalso achieved by a computer program product for hiding the identity of auser in an association between said user and data, to be used with acomputer comprising a computer readable medium having thereon:

computer program code means, to make the computer execute, when saidprogram is loaded in the computer:

conceal user identifying information using concealing data for provisionof the concealed user identifying information in the association.

According to a ninth aspect of the present invention, this object isalso achieved by a computer program product for providing information inrelation to data while concealing the identity of at least one user inrelation to an association between the user and said data, to be usedwith a computer comprising a computer readable medium having thereon:

computer program code means, to make the computer execute, when saidprogram is loaded in the computer:

provide an association between the user and said data comprising useridentifying information that has been concealed using concealing data.

According to a tenth aspect of the present invention, this object isalso achieved by a data signal for use in relation to data andcomprising an association between a user and said data, whichassociation includes user identifying information that has beenconcealed using concealing data.

The dependent claims are all directed to advantageous variations of theinventive concept.

The general idea behind the invention is thus to provide anauthorization certificate comprising a concealed user identifier andauthorization data. This authorization certificate can then be used whenthe user makes use of the authorization he is entitled to.

These and other aspects of the invention will be apparent from andelucidated with reference to the embodiments described hereinafter.

Embodiments of the present invention will now be explained in moredetail in relation to the enclosed drawings, where

FIG. 1 shows a block schematic of a system according to the inventionoutlining the principles of the invention,

FIG. 2 shows a flow chart of a method of obtaining the right to contentfrom a content provider,

FIG. 3 shows a flow chart of a method of accessing content by a user whohas obtained the right to use content,

FIG. 4 shows a flow chart of a method of accessing content by a user ofa group having access to the content purchased by the first user,

FIG. 5 shows a flow chart of a variation of the method of obtainingcontent by a user of a group having access to the content purchased bythe first user,

FIG. 6 shows a flow chart of a first variation of a method of accessingcontent by a user who has obtained the right to content,

FIG. 7 shows a flow chart of a second variation of a method of accessingcontent by a user who has obtained the right to content,

FIG. 8 schematically shows a computer readable medium in the form of aCD ROM disc including program code for performing at least parts of theinvention,

FIG. 9 schematically shows a computer readable medium in the form of asmart card where certain elements of the invention are provided likeencryption keys, and

FIG. 10 schematically shows a signal including a usage rightcertificate.

The present invention relates to the field of providing privacy for atleast one user in relation to the publicly available association oftheir identity to data. Data can here be provided in the form ofauthorizations, as in the context of SPKI authorization certificates,and authorizations can here be provided, as in a first embodiment of thepresent invention, in the form of rights to access or ownership of dataor content. In this embodiment, the content can be accessed also by agroup of users in a common privacy domain. A common privacy domain canbe defined using the framework of SPKI for letting several users groupedtogether share content obtained by each one of them. A group can forinstance be a family. The grouping together of these users can in thiscontext be done by providing a certificate including user identifyinginformation in the form of the public keys of all the users of thegroup, which certificate is here called a domain certificate.

In such systems a purchaser of content can get access to the content bymeans of a user right certificate. Other users of the common domain, towhich the purchasing user belongs, can also get access to the contentthrough an access right function checking the usage right certificate aswell as through checking the domain certificate. A usage rightcertificate is here a specific form of an authorization certificate inthe form of a publicly known association between the user and the dataor content.

FIG. 1 schematically shows a block schematic of a system including anumber of public devices 22, 24 and 20 which users are using for amongother things obtaining content that is coded and that can be accessedthrough authorization and checking of if a user has the right to thecontent or not. In this regard the devices are communicating with apublic server 11 having a control unit 14 connected to a domaincertificate store 12, to a usage right certificate store 16 and to acontents store 18. In the Figure it is also shown a content provider 26,which is accessed by the user with device 20, but which may providecontent and usage right certificates directly to server 11. Its controlunit 14 stores content in store 18 and usage right certificates in store16. In order to be able to purchase and access content each user isprovided with for example a smart card (not shown), which is used forauthentication and encryption purposes.

It should be realized that the implementation of the system can bedifferent than what is shown in FIG. 1. In FIG. 1 there is for instancea central content store and a central usage rights certificate store. Itshould be realized that usage right certificates can be provided locallyin the devices of the users as well or there might be another device,which holds these certificates and content. Content and correspondingusage right certificates might furthermore be provided in differentdevices, which might be anywhere in a public network of devices. In thiscase, the content provider provides content and usage rightscertificates to those different devices in the public network. Thedomain certificate might also be provided in some other device than theserver, which can be also a public device. Moreover the devices 20, 22and 24 can be users' devices as well as public devices.

Purchasing of some type of content will now be described in relation toFIGS. 1 and 2, where FIG. 2 shows a flow chart of a method of purchasingcontent. In this case each user has some user identifying informationwhich is normally provided in the form of a public key, i.e., a key thatis known or available to the whole system.

Let us first assume that a first user using a first device 20 wants topurchase some content from the content provider 26, which content canfor example be an MP3-file. The first user furthermore wants to buy thecontent anonymously. In order to do this he uses a prepayment schemewhere he buys a token with a secret security identifier on it Afterhaving done this, the first user conceals information that identifieshim, which in this case is his public key PK using concealing data inthe form of a random number RAN generated in his smartcard or in device20, step 30. The act of concealing is in a preferred embodiment done byusing a hash. The hash H is made on a concatenation of the useridentifying information, i.e. the public key PK, and the random valueRAN, which is expressed as:H(PK//RAN)

This represents a commitment made by the first user to the value of hispublic key. Once this concealing has been performed using the randomvalue, it remains fixed for reissues of that certificate. The randomnumber RAN is also fixed and remains so for the certificate. This valueRAN is also retained for every possible further anonymous reissue of thecertificate in relation to purchased or obtained content. The first userthen sets up an anonymous channel to the content provider and sends arequest to a certain piece of content, step 32. The request includes acontent identifier cr_id, the concealed public key H(PK//RAN) as well asthe secret security identifier and the random value RAN. When thecontent provider 26 receives the request it first checks the validity ofthe secret security identifier and invalidates that identifier in orderto prevent a double spending, step 34. Thereafter the content providergenerates and signs an association between the user and data in the formof a usage right certificate UR, step 36. The usage right certificate URthen has the following content:UR={cr_id, H(PK//RAN), RAN}_(signCP),where signCP is the signature of the content provider.

The content provider thereafter sends the usage right certificate UR aswell as the content just purchased, step 38. The content provider cansend this certificate and the content directly to the device of theuser, if the user requests so. In order, however, to have a centralstorage for those items, the provider sends the usage right UR and thecontent directly to the central storage server 11, from where they canbe retrieved later. The usage right certificate UR is then stored inusage right store 16 of the server 11 and the content is stored in thecontent store 18 of the server 11. The usage right certificate is publicinformation, but in this way there is no direct link between the publickey PK of the purchaser or first user and the purchased content. Sincethe public key is hashed with a random value, which is different foreach piece of content cr_id, the usage right certificate UR of the samepublic key for different pieces of content cannot be linked, andtherefore a malicious party cannot find out what contents a specificuser has purchased.

The anonymous channel between the first user and the provider can beimplemented by means of a chain of mixes, which can provide senderanonymity (to keep the first user's anonymity) with an anonymous replyaddress (to provide an address to the provider to send the usage rightscertificate and the content). The concept of mixes is further describedin the paper “Untraceable Electronic Mail, Return Addresses and DigitalPseudonyms” by D. Chaum, Communications of the ACM, February 1981, vol.24, no. 2, which is herein incorporated by reference.

The usage right certificate described above included the concealingdata, i.e. the random value RAN. It should be realized that theconcealing data could just as well be provided outside of thecertificate.

How the first user later gets access to the content in the contentstore, which can take place using the same or another device, will nowbe described with reference to FIGS. 1 and 3, which latter Figure showsa flow chart of this method.

Assuming the first user is using the same device 20, the first user isfirst authenticated with the device 20, step 40. This is done throughhim proving that he, or rather his smart card, knows a secret key SK,which corresponds to his public key PK. Through this authorization thepublic key PK of the first user is thus disclosed to the device 20.Thereafter the first user sends a request for access to the contentusing the content identifier cr_id to the device 20, step 42. Device 20then contacts control unit 14, which fetches the usage right certificatefrom the usage right store 16, and sends it to device 20. Device 20checks the received public key PK of the first user against theconcealed public key H(PK//RAN) in the usage right certificate UR, step44. Since the hash function H is publicly available in the system, thedevice 20 can easily verify that it is the first user by running thehash function on the received public key using the random number RAN inthe usage right certificate and checking the value of this just run hashfunction with the corresponding value in the usage right certificate UR.In dependence of this check, i.e. if the values are the same, the device20 fetches the content from control unit 14 (which fetches it from thecontent store 18) and thereafter gives the first user access to thecontent in contents store 18, step 46.

The content is normally encrypted and the device needs to decrypt thecontent with a decryption key in a known fashion after the performing ofthe above-mentioned steps in order for the user to actually access thecontent.

A secure channel can be set up between the first user's smart card andthe device 20, by first establishing a common secret key, for instanceby using a protocol such as Diffie-Hellman, and then encrypting allsubsequent communication between those two parties with that sharedsecret key, in order to prevent an eavesdropper from learning the publickey of the first user.

Now a situation will be described in which a second user belonging tothe same domain and having the right to access the content obtained bythe first user accesses the content. This description is made withreference to FIGS. 1 and 4, of which the latter shows a flow chart ofthe method of accessing the content by the second user.

First of all it should be mentioned that the server 11 includes a domaincertificate store 12, in which a domain certificate DC is stored. Thisdomain certificate can have the format:DC={PK, PK′, PK″, . . . },_(signTTP),Where PK, PK′ and PK″ indicate public keys of the first user, the seconduser and a third user, respectively. The expression signTTP indicatesthe signature of a trusted third party on the certificate, such as thecommunity administration. The domain certificate is also publiclyavailable in the whole domain.

The second user can for instance be using device 22. The second user isfirst authenticated with the device 22, step 48. This is done throughhim proving that he, or rather his smart card, knows a secret key SK′,which corresponds to his public key PK′. Through this authorization thepublic key PK′ of the second user is thus disclosed to device 22.Thereafter the second user sends a request for access to the contentusing the content identifier cr_id to the device 22, step 50. Whendevice 22 receives this request, it contacts control unit 14, whichfetches or retrieves the domain certificate DC from the domaincertificate store 12 and sends it back to device 22. It then comparesthe public key PK′ against a group of public keys in the domaincertificate DC, step 52. Here it compares the public keys such that itcan determine that the public key PK′ of the second user is groupedtogether with a number of other public keys in the domain. The device 22also retrieves the usage right certificate UR from the usage right store16, step 53, via a request to the control unit 14, and checks all thepublic keys of the group against the concealed public key H(PK//RAN) inthe usage right certificate UR, step 54. This check for all public keysis performed in the same way as was described for public key PK inrelation to FIG. 3. In dependence of this check, i.e. if any of thepublic keys correspond to the concealed public key in the usage rightcertificate UR, the device 22 thereafter gives the second user access tothe content in contents store 18, step 56.

In this way it is guaranteed that other users of the domain are allowedaccess to the content, while at the same time allowing privacy to thefirst user.

The above described scheme for checking the public keys of the domaincertificate is working well for small systems, i.e. where there are nottoo many users. In case the system gets bigger it is however burdensometo find the public key of the first user in the domain certificate. Inorder to ease the search, the usage right certificate is in analternative embodiment provided with an index indicating the public keyof the purchaser, i.e. the public key PK of the first user. In onevariation of the invention this index is made up of the few or firstnumber of bits of the public key of the purchasing user. In this wayonly public keys, which have these number of bits in common aresearched, which makes the processing faster. This solution has theslight disadvantage of giving up some of the privacy of the public keyof the purchasing, i.e. first user.

As stated above, the domain certificate is public. When the usage rightis stored together with this domain certificate as is shown in FIG. 1, amalicious party or attacker has all the public keys available to him andcan then find out which user has purchased a certain content. In orderto avoid this problem, the domain certificate DC can be provided in analternative form given below.DC={H(PK), H(PK′), H(PK″), . . . , SK_(D1)[PK//PK′ . . . ]}_(signTTP),Where SK_(D1) is a first secret domain key shared by the domain membersor the users of the domain and stored in their smart cards. The users inthe domain generate it without any interference from the contentprovider, in order to provide privacy. H is here again a known hashfunction, while SK_(D1)[PK//PK′ . . . ] denotes the encryption of theconcatenation of all the public keys in the domain using the firstshared secret domain key. This allows each user of the domain toretrieve the public keys.

An alternative way for a second user to access the content will now bedescribed with reference to FIGS. 1 and 5, which latter Figure shows avariation of the method in FIG. 4.

The second user is again using device 22. The second user is firstauthenticated with the device 22, step 58, and thereby the public keyPK′ of the second user is disclosed to the device 22. Thereafter thesecond user sends a request for access to the content using the contentidentifier cr_id to the device 22, step 60. When the device 22 receivesthis request it fetches the domain certificate DC from the domaincertificate store 12 via the control unit 14 and compares the public keyPK′ against a group of concealed public keys in the certificate DC, step72. Here the device 22 performs the known hash function H on thereceived public key PK′ and finds the corresponding hash value in thedomain certificate DC. Thereafter the device 22 sends the encryptedconcatenation of all the public keys in the domain SK_(D1)[PK//PK′ . . .] to the second user or rather to the smart card of the second user,step 74. The smart card of the second user decrypts this information inorder to obtain the public keys of the users in the domain, step 75.Thereafter the device 22 receives all the decrypted public keys in thedomain from the second user, step 76. Similar to what was describedearlier, the device 22 then retrieves the usage right certificate UR,step 77, and thereafter the steps of checking and giving access, steps78 and 80, are performed.

There exists another way to prohibit a malicious user or attacker tofind out what content a certain user has purchased, when the usage rightcertificate is stored together with the domain certificate, which makesall the public keys available to the attacker as described above. Thisother solution to this problem is to provide the random value in theusage right certificate encrypted.

A modified usage right certificate would then have the followingstructure:UR={cr_id, H(PK//RAN), SK_(D2)[RAN]}_(signCP),where the random value RAN is encrypted using a second secret domain keySK_(D2) stored in the smart cards of the users and shared by all thedomain members. The value RAN is as mentioned previously the randomvalue selected by the first user when purchasing the content. In casethe value RAN is not provided in the usage right certificate, thisencryption would of course not be necessary to include in thecertificate, but might be provided outside of the certificate if it isneeded.

When the first user purchases the content, the method described in FIG.2 is adjusted slightly so that the user has to encrypt the selectedrandom value RAN with the key SK_(D2) in the smart card and also sendthis encrypted value in the request. The content provider then alsoincludes this encrypted random value in the generated usage rightcertificate.

In order to provide access to the content for the first user, referenceis now being made to FIGS. 1 and 6, which latter Figure shows a flowchart of a first variation of the method shown in FIG. 3.

Under the same assumption that the first user is using the device 20,the first user is first authenticated with the device 20 in thepreviously described manner, step 82, such that the public key PK of thefirst user is disclosed to the device 20. Thereafter the first usersends a request for access to the content using the content identifiercr_id to the device 20, step 84. When the device 20 receives thisrequest it fetches or retrieves the usage right certificate UR from theusage right store 16 via the control unit 14, step 85, and sends theencrypted random value SK_(D2)[RAN] to the first user, step 86. Thisvalue is provided to the smart card of the user, which decrypts thevalue and returns the now unencrypted value RAN to the device 20, step88. As the device 20 now has the decrypted value RAN, it can continuewith the steps of checking public key against concealed public key inthe usage right certificate, step 90, and providing the first user withaccess to the content, step 92, in the same way as was described inrelation to FIG. 3.

When a second user is granted access to the content based on this randomnumber encryption, the method described in FIG. 4 can be used instead ofthe longer method described in FIG. 5. The method described in FIG. 4then has to be modified slightly so that the encrypted random value issent to the smart card of the second user for decryption before the stepof checking public keys in the domain certificate against the concealedpublic key in the usage right certificate is performed. The method inFIG. 5 can of course also be used, but it does not add any additionalsecurity and thus only complicates the authentication of other users inthe group.

There is yet another aspect of the present invention which has to beaddressed, and that is the problem of privacy, when the users in thedomain are changed, by adding or deleting members.

When the members of the domain are changed, the domain certificate hasto be changed or replaced, stating the new membership relations ofpublic keys to the domain. Also usage right certificates may have to bereplaced if they include the term SK_(D2)[RAN].

When a new user enters the domain without bringing any own usage rightswith him, he must get access to the secret domain keys SK_(D1) andSK_(D2) in the cases where they are used. This is done in order for himto access content owned by other domain members. Naturally he also hasto have a public/secret key pair, where the public key also has to beprovided in the new domain certificate.

When a person leaves a domain without taking any usage rights with him,he can no longer access any content belonging to other users of thedomain, provided the domain certificate is updated properly. He willhowever still have at least the second secret domain key SK_(D2), whichhe can use to calculate RAN with. This means that the privacy is nolonger guaranteed regarding this leaving user. The solution to thisproblem is to change the second secret domain key after the user leavesthe domain and issue new usage right certificates with the new key. Theold key must however be stored in order for the old usage rightscertificates to be valid. Eventually new version of old usage rightcertificates will have to be issued with the new second secret domainkey.

If a leaving user takes his usage rights with him also the second secretdomain key of the leaving user SK_(D2) should be changed for the sameabove described reasons.

If an entering user brings his usage rights with him, again he must getaccess to the secret domain keys SK_(D1) and SK_(D2) in the cases wherethey are used. The entering user's usage rights must be re-issued withthe secret domain key SK_(D2) in order for the users in the domain to beable to use the entering user's usage rights.

There is thus a need for re-issuance of certificates in the special casewhen the domain certificate membership changes in order to guaranteeprivacy and the rightful access to content to the users entitled to thecontent.

When re-issuing certificates with a new second secret domain key carehas to be taken that a certificate of one user in the domain is notwrongfully assigned to another user.

With a usage right certificate of the form:UR={cr_id, H(PK//RAN), SK_(D2)[RAN]}_(signCP),the content provider is able to check that the value of the public keydoes not change without having to see the public key PK. This is due tothe fact that the hash function will have the same value in a newcertificate and because no other combination using other public keyswill give the same hash value.

The way a certificate is reissued is performed in the following way. Thecontent owner sends, through an anonymous channel, a request forreissuing a certificate including the old certificate UR={cr_id,H(PK//RAN), SK_(D2)[RAN]}_(signCP) together with a new valueSK′_(D2)[RAN]. RAN is here the same random value in both cases. Thecontent provider checks the correctness of the old usage rightcertificate and then creates a new certificate where SK_(D2)[RAN] hasbeen replaced by SK′_(D2)[RAN].

If a user leaves a domain and takes his owned content with him but doesnot bring with him the secret domain key SK_(D2), he still needs to getaccess to the content. This is achieved by providing a variation of theusage right certificate according to the following:UR={cr_id, H(PK//RAN), SK_(D2)[RAN], SK_(p)[RAN],}_(signCP),where SK_(p) is a secret personal key of the user purchasing content andonly provided in the smart card of the purchasing user. This secretpersonal key is used to encrypt the random value RAN in a similar way tothe encryption using the second secret domain key. In case the value RANis not provided in the usage right certificate, this encryption would ofcourse not be necessary to include in the certificate, but might beprovided outside of the certificate if it is needed.

The way the content is purchased or obtained is generally performed inthe same way as was described in relation to FIG. 2, but with theaddition that the user encrypts the random value RAN using the secretpersonal key and encloses it in the request and the content providerthen includes the encrypted random value together with the rest of theitems in the usage right certificate.

The allowing of access to the usage right certificate to the first userwho originally purchased the content after leaving the domain will nowbe briefly described in relation to FIG. 7.

The first user is first authenticated with a device in the previouslydescribed manner, step 94, such that the public key PK of the first useris disclosed to the device. Thereafter the first user sends a requestfor access to the content using the content identifier cr_id, step 98.When the device receives this request it fetches or retrieves the usageright certificate UR from the usage right store 16 via the control unit14, step 99, and sends the encrypted random value SK_(P)[RAN] to thefirst user, step 100. This value is provided to the smart card of theuser, which decrypts the value and returns the now unencrypted value RANto the device, step 102. As the device now has the decrypted value RAN,it can continue with the steps of checking public key against concealedpublic key in the usage right certificate, step 104, and providing thefirst user with access to the content, step 108, in the same way as wasdescribed previously. In this way a user leaving the domain can stillaccess content purchased by him, which content is still attached to thedomain.

There are a number of further variations that can be made to the presentinvention. A usage right certificate can have an alternative form, whena different type of concealing function is used for concealing the useridentity, i.e. the public key. This form is the following:UR={cr_id, RAN[PK], SK_(D2)[RAN]}_(signCP),Where RAN[PK] denotes the encryption of the value PK using the valueRAN. Naturally the above described methods where H(PK//RAN) has beenused in combination with SK_(D2)[RAN] have to be replaced with RAN[PK].

Another possible variation is to encrypt the public key PK using thesecret domain key SK_(D2) instead of using the random number RAN.

The concealing of the public key makes it difficult for devices to findthe correct usage right certificate when a user has authenticatedhimself and asked for content using cr_id. In order to solve this avalue SK_(D2)[cr_id] is included in the usage right certificate. Thisvalue is basically an index that is calculated by means of the secondsecret domain key, but also the first secret domain key can possibly beused. What happens after authentication and when requesting content isthat any of the users requesting access can calculate the indexing valueand send it to the corresponding device. The device can now perform asearch on the fields cr_id and SK_(D2)[cr_id] and retrieve the correctusage right certificate.

Another possible variation is to provide the usage right certificatewith an extra field, a so-called rights attributes data field. A usageright certificate including such a field, as used in relation to thedescription related to FIG. 2-7, would then have one of the followingstructures:UR={cr_id, r_d, H(PK//RAN), RAN}_(signCP),UR={cr_id, r_d, H(PK//RAN), SK_(D2)[RAN]}_(signCP) orUR={cr_id, r_d, H(PK//RAN), SK_(D2)[RAN], SK_(p)[RAN],}_(signCP),where r_d indicates this rights attributes data field. The field isincluded in the usage right certificate by the content provider upon theanonymous buying of the rights by the user, and it indicates the rightsa user has concerning the usage of the content. It may for instanceindicate that the user is only allowed to watch the content up until acertain date or time. Such types of conditions on the usage of contentare chosen by the user upon the buying of the usage rights, according tooptions of usage, which are provided by the content provider. Thepayment of the usage rights is obviously done according to the optionchosen by the user. It should also be realized that this field can alsobe used in combination with all the previously described embodiments andvariations of the present invention.

The identity of the user in relation to the usage right certificate hasin the description above been made with reference to a public key. Itshould be realized that the invention is in no way limited to publickeys. Any type of user identifying information can be used such as aname, biometrics data or some other type of identity. In the same mannerthe data to which the user is associated has been described in relationto an identifier for purchased content. The data is not limited to this,but can be any type of data, such as user attributes like age or genderor any type of authorization. The description was also made in relationto the access to content, but the information related to the data canalso be such things as a list of preferences associated with the user.

The server and different devices in the domain are normally provided inthe form of computers or devices having computing capabilities havingprocessors and associated program memories for storing the program code.The different stores in the server are also provided in the form ofmemories. The functions for performing the invention are then preferablyprovided as program code in such memories. The program code for thedevices for the users can also be provided in the form of one or more CDROM discs which perform the functions of the invention when being loadedinto a program memory, of which one 10 is shown in FIG. 8. A lot of thefunctionality related to the users is strongly linked to the user havinga smart card, where keys and decryption functions are provided. In thiscase these smart cards can also have program code stored on them formperforming the user related parts of the methods described above. Asmart card reader having a smart card loaded into it, can then also beseen as being a computer. One such smart card 112 is schematically shownin FIG. 9.

The usage right certificate is also transmitted from both the contentprovider to the server 11 as well as between the server and the devices.FIG. 10 schematically shows one such data signal 114, having a headerincluding a destination address field 116 and a source address field 118as well as a payload 120 including the usage right certificateUR={cr_id, H(PK//RAN), RAN}_(signCP).

The present invention has many advantages. It allows a greater degree ofprivacy while at the same time allowing rightful users to access contentfrom anywhere in a public network of devices, with the proper and securechecks of the access rights for the content. The invention also relievesthe content providers the burden of generating many usage rightcertificates for the same content to the same buyer over and over again,as in the approach of temporary public keys.

1. A method of associating data with users involving associationsbetween user identifying information and data, characterized in thatconcealing data is used to conceal a user identity in the useridentifying information, such that it is possible to check for a givenuser identity whether the association applies to it.
 2. The methodaccording to claim 1, wherein the user identity is concealed using ahash function.
 3. The method according to claim 1, wherein the useridentity is concealed using encryption.
 4. The method according to claim1, wherein the concealing data comprises a random value.
 5. The methodaccording to claim 1, wherein the associations are publicly available.6. The method according to claim 1, further comprising the step ofproviding an association.
 7. The method according to claim 1, furthercomprising the step of receiving a request for an association, and thestep of providing the association.
 8. The method according to claim 6,further comprising the step of signing the provided generatedassociation.
 9. The method according to claim 7, wherein the requestincludes the user identifying information in which the user identity isconcealed (step 32) using concealing data.
 10. Method according to claim1, wherein the concealing data is encrypted by a secret user key. 11.Method according to claim 1, wherein said concealing data remains fixedfor reissued associations.
 12. Method according to claim 1, wherein theassociation is a digital certificate.
 13. Method according to claim 12,wherein the digital certificate is an SPKI authorization certificate.14. Method according to claim 12, wherein the association includes theright to access purchased digital content.
 15. Method according to claim1, wherein the association comprises a content identifier.
 16. Methodaccording to claim 1, wherein the association comprises a rightsattributes data field.
 17. Method according to claim 1, wherein theassociation includes an index indicating the right user identifyinginformation associated with the user.
 18. Method according to claim 1,further comprising the step of sending a request in relation to saiddata including the concealed user identifying information (step 32). 19.Method according to claim 18, wherein the request includes theconcealing data in order to enable revealing of the user identifyinginformation.
 20. Method according to claim 18, wherein the requestfurther includes a secret security identifier.
 21. Method according toclaim 18, further including the step of encrypting the concealing databy using a secret domain key, such that the concealing data is encryptedin at least the request.
 22. Method of giving a user access toinformation in relation to an association between a user and dataincluding the steps of: receiving from a user a request concerning saiddata using user identifying information related to the user, (steps 42;50; 60; 98; 84), retrieving the association including user identifyinginformation that has been concealed using concealing data, (steps 43;53; 77; 85; 99), checking the concealed user identifying information inthe association, (steps 44; 54; 78; 90; 104), and providing the userwith information related to the data, (steps 46; 56; 80; 92; 108) basedon a correspondence between the concealed user identifying informationin the association and user identifying information at least linked tothe user.
 23. Method according to claim 22, wherein the step ofproviding the user with information comprises providing the user accessto content corresponding to said data, (steps 46; 56; 80; 92; 108). 24.Method according to claim 22, further including the step of performingauthentication of the user (steps 40; 48; 58; 82; 94).
 25. Methodaccording to claim 22, wherein the user identifying information receivedfrom the user is the same as the user identifying information in theassociation and the step of providing is based on a correspondencebetween the concealed user identifying information and the useridentifying information received from the user.
 26. Method according toclaim 22, wherein the user identifying information received from theuser is different than the user identifying information in theassociation and further including the step of: comparing the useridentifying information of the user against a user domain certificateincluding user identifying information related to all users in a domain,(steps 52; 72), wherein the step of checking concealed user identifyinginformation in the association with user identifying information (steps54; 78) is performed on user identifying information in the domaincertificate, and the step of providing (steps 56; 80) is performed basedon a correspondence between the concealed user identifying informationin the association and any user identifying information in the domaincertificate.
 27. Method according to claim 26, wherein the domaincertificate includes concealed user identifying information of all theusers in the domain and an encryption of a concatenation of all useridentifying information in the domain using a secret domain key. 28.Method according to claim 27, further including the steps of sending theencrypted concatenation of all user identifying information to the user(step 74) and receiving identifying information about all users in thedomain from said user (step 76).
 29. Device (112) for hiding theidentity of a user in an association between said user and data arrangedto: conceal user identifying information using concealing data forprovision of the concealed user identifying information in theassociation.
 30. Device (20, 22, 24) for giving a user access toinformation in relation to an association between a user and dataarranged to: receive a request from a user concerning said dataincluding user identifying information relating to the user, retrieve anassociation between the data and a user including user identifyinginformation, which has been concealed using concealing data, check theconcealed user identifying information in the association, and providethe user with information related to the data based on a correspondencebetween the concealed user identifying information in the associationand user identifying information at least linked to the user.
 31. Device(20, 22, 24) for obtaining information in relation to an associationbetween a user and said data arranged to: receive user identifyinginformation related to a user that has been concealed using concealingdata, and send a request concerning said data including the concealeduser identifying information, so that an association between the userand said data comprising the concealed user identifying information canbe received.
 32. Device (26) for providing information in relation todata while concealing the identity of at least one user in relation toan association between the user and said data arranged to: receive arequest concerning said data including the user identifying informationwhich has been concealed using concealing data, and provide anassociation between the user and said data comprising the concealed useridentifying information.
 33. Computer program product (110) for giving auser access to information in relation to an association between a userand data, to be used on a computer comprising a computer readable mediumhaving thereon: computer program code means, to make the computerexecute, when said program is loaded in the computer: upon receptionfrom the user of a request related to said data using user identifyinginformation related to the user, retrieve an association between a userand said data including user identifying information that has beenconcealed using concealing data, check the concealed user identifyinginformation in the association, and provide the user with informationrelated to the data based on a correspondence between the concealed useridentifying information in the association and user identifyinginformation at least linked to the user.
 34. Computer program product(112) for hiding the identity of a user in an association between saiduser and data, to be used with a computer comprising a computer readablemedium having thereon: computer program code means, to make the computerexecute, when said program is loaded in the computer: conceal useridentifying information using concealing data for provision of theconcealed user identifying information in the association.
 35. Computerprogram product (110) for providing information in relation to datawhile concealing the identity of at least one user in relation to anassociation between the user and said data, to be used with a computercomprising a computer readable medium having thereon: computer programcode means, to make the computer execute, when said program is loaded inthe computer: provide an association between the user and said datacomprising user identifying information that has been concealed usingconcealing data.
 36. A data signal (114) for use in relation to data(cr_id) and comprising an association between a user (PK) and said data,which association (UR) includes user identifying information (PK) thathas been concealed using concealing data (RAN).